4870376811dd3c5eabe924c793079629d13a7813bf1a3014b5333b132be50365

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888Rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Windows-KB890830-x64-V5.118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	SERVERS.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	888RAT.EXE

Executes dropped EXE 46 IoCs

pid	Process
3932	SERVERS.EXE
4884	SERVERS.EXE
2884	888RAT.EXE
4404	SERVERS.EXE
560	888RAT.EXE
3228	888RAT.EXE
5284	SERVERS.EXE
5452	SERVERS.EXE
5604	SERVERS.EXE
5828	SERVERS.EXE
6080	888RAT.EXE
4904	SERVERS.EXE
5340	888RAT.EXE
5696	SERVERS.EXE
5888	SERVERS.EXE
5784	888RAT.EXE
6052	SERVERS.EXE
2912	SERVERS.EXE
5284	SERVERS.EXE
5872	SERVERS.EXE
2924	888RAT.EXE
4564	Process not Found
5844	SERVERS.EXE
2952	SERVERS.EXE
1264	SERVERS.EXE
6036	888RAT.EXE
324	SERVERS.EXE
5564	SERVERS.EXE
5524	888RAT.EXE
2196	SERVERS.EXE
5804	SERVERS.EXE
6096	SERVERS.EXE
5904	Process not Found
3892	888RAT.EXE
1752	Process not Found
4432	SERVERS.EXE
5796	888RAT.EXE
4632	Process not Found
1120	SERVERS.EXE
5268	SERVERS.EXE
4864	888RAT.EXE
5516	888RAT.EXE
2804	SERVERS.EXE
2284	Process not Found
3520	Process not Found
1752	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GeForce = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SERVERS.EXE\""	SERVERS.EXE

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
5580	schtasks.exe
5988	Process not Found

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3992	Process not Found

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3811856890-180006922-3689258494-1000\{2C9DD782-A12C-40C8-ABAD-D035F4B2F692}	SERVERS.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5084	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
1380	msedge.exe
1380	msedge.exe
4856	taskmgr.exe
4856	taskmgr.exe
4412	msedge.exe
4412	msedge.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
3932	SERVERS.EXE
3932	SERVERS.EXE
3932	SERVERS.EXE
3932	SERVERS.EXE
3932	SERVERS.EXE
3932	SERVERS.EXE
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
5620	identity_helper.exe
5620	identity_helper.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	taskmgr.exe
Token: SeSystemProfilePrivilege	4856	taskmgr.exe
Token: SeCreateGlobalPrivilege	4856	taskmgr.exe
Token: SeDebugPrivilege	3932	SERVERS.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4856	taskmgr.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4856	taskmgr.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe
4856	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3932	SERVERS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4652	4412	msedge.exe	93
PID 4412 wrote to memory of 4652	4412	msedge.exe	93
PID 4008 wrote to memory of 1492	4008	888Rat.exe	302
PID 4008 wrote to memory of 1492	4008	888Rat.exe	302
PID 4008 wrote to memory of 1492	4008	888Rat.exe	302
PID 4008 wrote to memory of 3932	4008	888Rat.exe	96
PID 4008 wrote to memory of 3932	4008	888Rat.exe	96
PID 1492 wrote to memory of 3464	1492	SERVERS.EXE	97
PID 1492 wrote to memory of 3464	1492	SERVERS.EXE	97
PID 1492 wrote to memory of 3464	1492	SERVERS.EXE	97
PID 1492 wrote to memory of 4884	1492	SERVERS.EXE	98
PID 1492 wrote to memory of 4884	1492	SERVERS.EXE	98
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 3176	4412	msedge.exe	101
PID 4412 wrote to memory of 1380	4412	msedge.exe	100
PID 4412 wrote to memory of 1380	4412	msedge.exe	100
PID 4412 wrote to memory of 4668	4412	msedge.exe	102
PID 4412 wrote to memory of 4668	4412	msedge.exe	102
PID 4412 wrote to memory of 4668	4412	msedge.exe	102
PID 4412 wrote to memory of 4668	4412	msedge.exe	102
PID 4412 wrote to memory of 4668	4412	msedge.exe	102
PID 4412 wrote to memory of 4668	4412	msedge.exe	102
PID 4412 wrote to memory of 4668	4412	msedge.exe	102
PID 4412 wrote to memory of 4668	4412	msedge.exe	102
PID 4412 wrote to memory of 4668	4412	msedge.exe	102
PID 4412 wrote to memory of 4668	4412	msedge.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4856

C:\Users\Admin\AppData\Local\Temp\888Rat.exe
"C:\Users\Admin\AppData\Local\Temp\888Rat.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
  "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
  2⤵
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
    "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
    3⤵
    - Checks computer location settings
    PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
      "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
      4⤵
      PID:4992
    - - C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        5⤵
        
        PID:1720
      - C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        6⤵
        Checks computer location settings
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        7⤵
        Checks computer location settings
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        8⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        9⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        10⤵
        Executes dropped EXE
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        10⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        11⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        12⤵
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        13⤵
        Checks computer location settings
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        14⤵
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        15⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        16⤵
        Checks computer location settings
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        17⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        17⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        18⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        19⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        20⤵
        Checks computer location settings
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        21⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        22⤵
        Checks computer location settings
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        23⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        24⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        25⤵
        
        PID:5860
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        26⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        27⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        27⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        28⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        29⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        30⤵
        Checks computer location settings
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        31⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        32⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        33⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        34⤵
        Checks computer location settings
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        35⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        36⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        37⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        38⤵
        Checks computer location settings
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        39⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        40⤵
        Checks computer location settings
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        41⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        42⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        43⤵
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        44⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        45⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        46⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        47⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        48⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        49⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        49⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        50⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        51⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        51⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        52⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        53⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        54⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        55⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        56⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        56⤵
        
        PID:5128
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        57⤵
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        58⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        59⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        60⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        61⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        62⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        63⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        64⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        64⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        65⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        66⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        67⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        68⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        69⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        70⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        71⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        72⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        73⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        74⤵
        Checks computer location settings
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        75⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        76⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        77⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        78⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        79⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        80⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        81⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        82⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        83⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        83⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        84⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        84⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        85⤵
        Checks computer location settings
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        86⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        86⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        87⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        87⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        88⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        89⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        90⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        90⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        91⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        92⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        93⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        94⤵
        Executes dropped EXE
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        95⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        95⤵
        Checks computer location settings
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        96⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        97⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        98⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        99⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        99⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        100⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        100⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        101⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        102⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        103⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        104⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        105⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        106⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        107⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        108⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        109⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        110⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        111⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        112⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        113⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        114⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        115⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        116⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        117⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        118⤵
        
        PID:5760
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        119⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        120⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        121⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        122⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        123⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        124⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        125⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        126⤵
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        127⤵
        
        PID:5344
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        128⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        129⤵
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        130⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        131⤵
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        132⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        133⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        134⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        134⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        135⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        136⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        137⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        138⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        139⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        140⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        141⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        141⤵
        Executes dropped EXE
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        142⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        143⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        144⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        145⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        146⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        146⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        147⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        148⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        149⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        150⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        151⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        152⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        153⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        154⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        155⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        156⤵
        Executes dropped EXE
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        157⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        158⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        159⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        160⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        161⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        162⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        163⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        163⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        164⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        164⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        165⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        166⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        167⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        168⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        169⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        170⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        171⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        172⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        172⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        173⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        174⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        175⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        176⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        177⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        178⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        179⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        180⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        181⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        182⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        183⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        184⤵
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        185⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        186⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        187⤵
        
        PID:5256
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        188⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        189⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        190⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        191⤵
        Checks computer location settings
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        192⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        193⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        194⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        195⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        196⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        197⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        198⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        199⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        200⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        200⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        201⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        202⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        203⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        203⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        204⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        205⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        205⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        206⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        206⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        207⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        208⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        209⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        210⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        210⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        211⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        212⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        213⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        214⤵
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        214⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        215⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        216⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        217⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        218⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        219⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        220⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        220⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        221⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        222⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        223⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        224⤵
        
        PID:6076
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        225⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        226⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        227⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        227⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        228⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        229⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        230⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        231⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        231⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        232⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        232⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        233⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        233⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        234⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        235⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        236⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        237⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        238⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        238⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        239⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        240⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        241⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        242⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        243⤵
        Executes dropped EXE
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        244⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        245⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        245⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        246⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        247⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        248⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        249⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        250⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        251⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        252⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        253⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        254⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        255⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        256⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        257⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        258⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        259⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        260⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        261⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        261⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        262⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        263⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        264⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        264⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        265⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        266⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        267⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        268⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        269⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        270⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        271⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        271⤵
        
        PID:5276
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        272⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        273⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        274⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        275⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        276⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        277⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        278⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        279⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        280⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        280⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        281⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        282⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        282⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        283⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        283⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        284⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        285⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        286⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        287⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        287⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        288⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        289⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        290⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        291⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        292⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        293⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        294⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        295⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        296⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        297⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        298⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        299⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        300⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        300⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        301⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        302⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        303⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        304⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        305⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        306⤵
        Checks computer location settings
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        306⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        307⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        308⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        309⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        310⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        311⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        312⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        313⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        314⤵
        
        PID:5148
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        315⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        316⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        317⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        318⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        319⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        320⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        321⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        322⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        323⤵
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        324⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        325⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        326⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        327⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        328⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        329⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        329⤵
        Checks computer location settings
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        330⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        331⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        332⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        333⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        334⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        335⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        335⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        336⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        337⤵
        Checks computer location settings
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        338⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        339⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        340⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        340⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        341⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        342⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        343⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        344⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        345⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        346⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        347⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        348⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        349⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        350⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        351⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        351⤵
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        352⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        353⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        354⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        355⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        356⤵
        Checks computer location settings
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        357⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        358⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        359⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        360⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        361⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        362⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        363⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        364⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        365⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        366⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        367⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        368⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        369⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        370⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        371⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        372⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        373⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        373⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        374⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        375⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        376⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        376⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        377⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        378⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        379⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        380⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        381⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        382⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        383⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        384⤵
        
        PID:5192
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        385⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        386⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        387⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        388⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        389⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        390⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        391⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        392⤵
        
        PID:5296
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        393⤵
        Executes dropped EXE
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        394⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        395⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        395⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        396⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        397⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        398⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        399⤵
        Executes dropped EXE
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        400⤵
        
        PID:6008
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        401⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        402⤵
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        403⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        404⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        405⤵
        Executes dropped EXE
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        405⤵
        Executes dropped EXE
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        406⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        407⤵
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        408⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        408⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        409⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        410⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        411⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        412⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        413⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        413⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        414⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        415⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        416⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        417⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        418⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        419⤵
        Checks computer location settings
        
        PID:5704
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        420⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        421⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        422⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        423⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        423⤵
        
        PID:5152
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        424⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        425⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        426⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        427⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        428⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        429⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        430⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        431⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        432⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        433⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        434⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        435⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        436⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        437⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        438⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        439⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        440⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        441⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        442⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        443⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        444⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        444⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        445⤵
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        446⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        447⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        448⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        449⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        450⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        451⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        452⤵
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        453⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        454⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        455⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        456⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        457⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        458⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        459⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        460⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        461⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        462⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        463⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        464⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        465⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        466⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        467⤵
        Checks computer location settings
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        468⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        469⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        470⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        471⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        472⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        473⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        474⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        475⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        476⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        477⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        478⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\888RAT.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\888RAT.EXE"
        479⤵
        
        PID:5456
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        479⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        478⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        477⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        476⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        475⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        474⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        473⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        472⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        471⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        470⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        469⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        468⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        467⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        466⤵
        Checks computer location settings
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        465⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        464⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        463⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        462⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        461⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        460⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        459⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        458⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        457⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        456⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        455⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        454⤵
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        453⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        452⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        451⤵
        Checks computer location settings
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        450⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        449⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        448⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        447⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        446⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        445⤵
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        443⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        442⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        441⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        440⤵
        Checks computer location settings
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        439⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        438⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        437⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        436⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        435⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        434⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        433⤵
        Executes dropped EXE
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        432⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        431⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        430⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        429⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        428⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        427⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        426⤵
        Checks computer location settings
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        425⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        424⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        422⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        421⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        420⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        419⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        418⤵
        
        PID:5544
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        417⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        416⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        415⤵
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        414⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        412⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        411⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        410⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        409⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        407⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        406⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        404⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        403⤵
        
        PID:5876
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        402⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        401⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        400⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        399⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        398⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        397⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        396⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        394⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        393⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        392⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        391⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        390⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        389⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        388⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        387⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        386⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        385⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        384⤵
        
        PID:5832
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        383⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        382⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        381⤵
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        380⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        379⤵
        Checks computer location settings
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        378⤵
        
        PID:5672
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        377⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        375⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        374⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        372⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        371⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        370⤵
        Checks computer location settings
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        369⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        368⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        367⤵
        Executes dropped EXE
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        366⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        365⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        364⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        363⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        362⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        361⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        360⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        359⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        358⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        357⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        356⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        355⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        354⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        353⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        352⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        350⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        349⤵
        
        PID:6060
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        348⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        347⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        346⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        345⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        344⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        343⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        342⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        341⤵
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        339⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        338⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        337⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        336⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        334⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        333⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        332⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        331⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        330⤵
        Checks computer location settings
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        328⤵
        
        PID:5840
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        327⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        326⤵
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        325⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        324⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        323⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        322⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        321⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        320⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        319⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        318⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        317⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        316⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        315⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        314⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        313⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        312⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        311⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        310⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        309⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        308⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        307⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        305⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        304⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        303⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        302⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        301⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        299⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        298⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        297⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        296⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        295⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        294⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        293⤵
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        292⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        291⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        290⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        289⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        288⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        286⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        285⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        284⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        281⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        279⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        278⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        277⤵
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        276⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        275⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        274⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        273⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        272⤵
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        270⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        269⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        268⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        267⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        266⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        265⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        263⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        262⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        260⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        259⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        258⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        257⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        256⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        255⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        254⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        253⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        252⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        251⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        250⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        249⤵
        
        PID:5600
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        248⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        247⤵
        
        PID:5144
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        246⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        244⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        243⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        242⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        241⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        240⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        239⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        237⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        236⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        235⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        234⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        230⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        229⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        228⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        226⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        225⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        224⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        223⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        222⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        221⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        219⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        218⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        217⤵
        Checks computer location settings
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        216⤵
        Executes dropped EXE
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        215⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        213⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        212⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        211⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        209⤵
        Checks computer location settings
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        208⤵
        Checks computer location settings
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        207⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        204⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        202⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        201⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        199⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        198⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        197⤵
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        196⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        195⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        194⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        193⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        192⤵
        
        PID:5884
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        191⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        190⤵
        
        PID:184
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        189⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        188⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        187⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        186⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        185⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        184⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        183⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        182⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        181⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        180⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        179⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        178⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        177⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        176⤵
        Checks computer location settings
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        175⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        174⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        173⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        171⤵
        
        PID:6140
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        170⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        169⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        168⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        167⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        166⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        165⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        162⤵
        Checks computer location settings
        
        PID:5260
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        161⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        160⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        159⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        158⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        157⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        156⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        155⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        154⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        153⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        152⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        151⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        150⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        149⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        148⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        147⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        145⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        144⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        143⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        142⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        140⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        139⤵
        
        PID:5568
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        138⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        137⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        136⤵
        
        PID:5476
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        135⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        133⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        132⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        131⤵
        
        PID:5964
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        130⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        129⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        128⤵
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        127⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        126⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        125⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        124⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        123⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        122⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        121⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        120⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        119⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        118⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        117⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        116⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        115⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        114⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        113⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        112⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        111⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        110⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        109⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        108⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        107⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        106⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        105⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        104⤵
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        103⤵
        
        PID:5912
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        102⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        101⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        98⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        97⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        96⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        94⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        93⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        92⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        91⤵
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        89⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        88⤵
        
        PID:5124
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        85⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        82⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        81⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        80⤵
        Modifies registry class
        
        PID:5140
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        79⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        78⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        77⤵
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        76⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        75⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        74⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        73⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        72⤵
        
        PID:5416
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        71⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        70⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        69⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        68⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        67⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        66⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        65⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        63⤵
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        62⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        61⤵
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        60⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        59⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        58⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        57⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        55⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        54⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        53⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        52⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        50⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        48⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        47⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        46⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        45⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        44⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        43⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        42⤵
        
        PID:5516
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        41⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        40⤵
        
        PID:5268
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        39⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        38⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        37⤵
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        36⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        35⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        34⤵
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        33⤵
        
        PID:6096
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        31⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        30⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        29⤵
        Executes dropped EXE
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        28⤵
        Executes dropped EXE
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        26⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        25⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        24⤵
        Executes dropped EXE
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        23⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        22⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        21⤵
        Executes dropped EXE
        
        PID:5872
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        20⤵
        Executes dropped EXE
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        19⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        16⤵
        Executes dropped EXE
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        15⤵
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        14⤵
        
        PID:5340
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        13⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        12⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        11⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        9⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        8⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        7⤵
        
        PID:3228
      - C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        6⤵
        
        PID:560
    - - C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
        5⤵
        Executes dropped EXE
        
        PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
      "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
      4⤵
      PID:2884
- - C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
    "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
    3⤵
    - Executes dropped EXE
    PID:4884
- C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3932
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE" /sc MINUTE /MO 1
    3⤵
    - Creates scheduled task(s)
    PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbffbd46f8,0x7ffbffbd4708,0x7ffbffbd4718
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6920 /prefetch:8
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7588 /prefetch:8
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7484 /prefetch:8
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7472 /prefetch:8
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,433631042241442200,13778633985210087143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7020 /prefetch:8
  2⤵
  PID:5680
- C:\Users\Admin\Downloads\KVRT.exe
  "C:\Users\Admin\Downloads\KVRT.exe"
  2⤵
  PID:112
- - C:\Users\Admin\AppData\Local\Temp\{4ae57f3a-118c-43e2-ad77-749288aeeea5}\39e89ee8.exe
    C:/Users/Admin/AppData/Local/Temp/{4ae57f3a-118c-43e2-ad77-749288aeeea5}/\39e89ee8.exe
    3⤵
    PID:5812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
1⤵
PID:3892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\StepReset.gif
1⤵
PID:1420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1420 CREDAT:17410 /prefetch:2
  2⤵
  PID:5472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbffbd46f8,0x7ffbffbd4708,0x7ffbffbd4718
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,7978878892841055305,2673261366661364541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:1220
- C:\Users\Admin\Downloads\Windows-KB890830-x64-V5.118.exe
  "C:\Users\Admin\Downloads\Windows-KB890830-x64-V5.118.exe"
  2⤵
  - Checks computer location settings
  PID:5572
- - C:\Windows\system32\MRT.exe
    "C:\Windows\system32\MRT.exe"
    3⤵
    PID:1676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
1⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
C:\Users\Admin\AppData\Local\Temp\SERVERS.EXE
1⤵
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery